Tasks Package

Conforma expects that a set of tasks were included in the pipeline build for each image to be released. This package includes a set of rules to verify that the expected tasks ran in the pipeline when the image was built. Required tasks for a pipeline are specified in a data source provided at runtime. This data source features two primary rule data keys: pipeline-required-tasks and required-tasks. The pipeline-required-tasks key lists all required tasks broken down by pipeline name, while required-tasks details a default or baseline set of tasks. If your pipeline corresponds to an entry under pipeline-required-tasks, those tasks will be prioritized; otherwise, the system will default to the tasks listed under required-tasks. Required tasks are listed by the names given to them within the task definition. Optionally invocation parameter of a Task can be also mandated by including the name and the value in square brackets following the name of the task. For example: name[PARAM=val]. Only single parameter is supported, to assert multiple parameters repeat the required task definition for each parameter seperately.

Package Name

  • tasks

Rules Included

All required tasks are from trusted tasks

Ensure that the all required tasks are resolved from trusted tasks.

Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.

  • Rule type: WARNING

  • WARNING message: %s is required and present but not from a trusted task

  • Code: tasks.required_untrusted_task_found

  • Source

All required tasks were included in the pipeline

Ensure that the set of required tasks are included in the PipelineRun attestation.

Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as data under the key 'required-tasks'.

  • Rule type: FAILURE

  • FAILURE message: %s is missing

  • Code: tasks.required_tasks_found

  • Source

Data provided

Confirm the expected data keys have been provided in the expected format. The keys are pipeline-required-tasks and required-tasks.

Solution: If provided, ensure the data is in the expected format.

  • Rule type: FAILURE

  • FAILURE message: %s

  • Code: tasks.data_provided

  • Source

Future required tasks were found

Produce a warning when a task that will be required in the future was not included in the PipelineRun attestation.

Solution: There is a task that will be required at a future date that is missing from the build pipeline.

  • Rule type: WARNING

  • WARNING message: %s is missing and will be required on %s

  • Code: tasks.future_required_tasks_found

  • Source

Pinned Task references

Ensure that all Tasks in the SLSA Provenance attestation use an immuntable reference to the Task definition.

Solution: Make sure the build pipeline uses Tasks via pinned references. For example, if the git resolver is used, use a commit ID instead of a branch name.

  • Rule type: FAILURE

  • FAILURE message: Task %s is used by pipeline task %s via an unpinned reference.

  • Code: tasks.pinned_task_refs

  • Source

Pipeline run includes at least one task

Ensure that at least one Task is present in the PipelineRun attestation.

Solution: Make sure the build pipeline ran any tasks and that the build system is generating a proper attestation.

  • Rule type: FAILURE

  • FAILURE message: No tasks found in PipelineRun attestation

  • Code: tasks.pipeline_has_tasks

  • Source

Required tasks list for pipeline was provided

Produce a warning if the required tasks list rule data was not provided.

Solution: The required task list is contained as data under the key 'required-tasks'. Make sure this list exists.

  • Rule type: WARNING

  • WARNING message: Required tasks do not exist for pipeline

  • Code: tasks.pipeline_required_tasks_list_provided

  • Source

Required tasks list was provided

Confirm the required-tasks rule data was provided, since it’s required by the policy rules in this package.

Solution: Make sure the data sources contains a key 'required-tasks' that contains a list of tasks that are required to run in the build pipeline.

  • Rule type: FAILURE

  • FAILURE message: Missing required required-tasks data

  • Code: tasks.required_tasks_list_provided

  • Source

Successful pipeline tasks

Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.

Solution: Make sure the build pipeline is properly configured so all the tasks can be executed successfully.

  • Rule type: FAILURE

  • FAILURE message: Pipeline task %q did not complete successfully, %q

  • Code: tasks.successful_pipeline_tasks

  • Source

Task version unsupported

The Tekton Task used is or will be unsupported. The Task is annotated with build.appstudio.redhat.com/expires-on annotation marking it as unsupported after a certain date.

  • Rule type: FAILURE

  • FAILURE message: Task %q is used by pipeline task %q is or will be unsupported as of %s. %s

  • Code: tasks.unsupported

  • Source